From: Gleb Smirnoff
To: Ganbold
Cc: freebsd-isp@FreeBSD.org
Date: Tue, 30 Aug 2005 15:10:49 +0400
Subject: Re: ng_netflow and bridging firewall
Message-ID: <20050830111049.GK60614@cell.sick.ru>
In-Reply-To: <6.2.1.2.2.20050830190113.035378e0@202.179.0.80>
List-Id: Internet Services Providers

On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> I'm a newbie to ng_netflow and I'm trying to collect Netflow traffic from a
G> FreeBSD 5.4 machine. The collector (flow-tools) runs on the same machine.
G> This FreeBSD machine has 3 interfaces and acts as a bridging firewall using IPFW2.
G> It also uses dummynet.
G>
G> host# ifconfig
G> xl0: flags=8943 mtu 1500
G>         options=9
G>         ether 00:10:5a:5b:e5:e3
G>         media: Ethernet 100baseTX
G>         status: active
G> xl1: flags=8943 mtu 1500
G>         options=9
G>         ether 00:04:76:dc:7f:d1
G>         media: Ethernet 100baseTX
G>         status: active
G> vr0: flags=8843 mtu 1500
G>         inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
G>         ether 00:0b:6a:24:f6:ab
G>         media: Ethernet autoselect (100baseTX )
G>         status: active
G>
G> I'm running the ng_netflow module and ngctl with the following parameters:
G>
G> ngctl mkpeer xl1: tee lower right
G> ngctl connect xl1: xl1:lower upper left
G> ngctl name xl1:lower xl1_tee
G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> ngctl name xl1:lower.left2right netflow
G> ngctl connect xl1_tee: netflow: right2left iface1
G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G>
G> I'm just using the second interface, xl1, for ng_netflow. However, when I look at
G> the flow data I can only see my network addresses in the dstIP field. Is that
G> correct? I thought both srcIP and dstIP should contain my IPs, because I'm trying
G> to catch traffic that goes in both directions on xl1. Is my assumption correct?
G> If I'm wrong, how do I make it work the correct way?

No. Look at the ng_ether(4) manpage and draw your graph. You are catching only one
direction with the above script.

G> Another issue is that the firewall's dynamic rule count almost doubles when
G> ng_netflow traffic starts. Is that correct?
G> How can I fix this?

I know that bridge(4) has a conflict with ng_ether(4). This is fixed in RELENG_6, and
is not going to be fixed in RELENG_5 due to the ABI freeze. You can try 6.0-BETA3 in
this configuration. Probably your ipfw problem is related to this conflict between
bridge and ng_ether.
G> Also, how can I include the first interface, xl0, in the ng_netflow configuration?

Read the netgraph manual pages and draw a graph, then change the script so that the
new graph is built.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
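One way to check from the collector side whether the export really carries both directions, as an added example that is not part of this thread and not code from ng_netflow or flow-tools: a small Python decoder for the NetFlow v5 datagrams that ng_netflow's ksocket export hook sends (the poster points it at 127.0.0.1:8818), which classifies every flow as inbound or outbound against the local prefix. The sample datagrams, the addresses and the 192.0.2.0/27 prefix (a /27, like the poster's 0xffffffe0 netmask) are constructed for the example; the input ifindex values 1 and 2 follow the poster's setifindex messages. If only "inbound" flows ever appear, as in the thread, the tap feeds ng_netflow one direction only.

```python
import struct
import sys
import socket
import ipaddress
from collections import Counter

# NetFlow v5 wire format (what ng_netflow exports): a 24-byte header followed by
# `count` records of 48 bytes each; v5 caps a datagram at 30 records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # version .. sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2
MAX_RECORDS = 30


def parse_v5(datagram):
    """Decode one v5 datagram into (header dict, list of flow dicts).

    Length and version are checked before any record is unpacked, so a short
    or foreign datagram raises ValueError instead of yielding garbage flows.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _up, _secs, _ns, flow_seq, _etype, engine_id, _samp = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header promises %d records in %d bytes" % (count, len(datagram)))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": ipaddress.IPv4Address(f[0]), "dst": ipaddress.IPv4Address(f[1]),
                      "input": f[3],   # SNMP ifindex given to the ifaceN hook via setifindex
                      "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"count": count, "flow_sequence": flow_seq, "engine_id": engine_id}, flows


def direction_summary(flows, local_prefix):
    """Count flows by direction relative to local_prefix and per input ifindex.

    A tap that sees both directions of a link yields both 'inbound'
    (remote -> local) and 'outbound' (local -> remote) flows.
    """
    net = ipaddress.IPv4Network(local_prefix)
    by_direction, by_ifindex = Counter(), Counter()
    for fl in flows:
        src_local, dst_local = fl["src"] in net, fl["dst"] in net
        if src_local and not dst_local:
            direction = "outbound"
        elif dst_local and not src_local:
            direction = "inbound"
        elif src_local:
            direction = "local"
        else:
            direction = "transit"    # neither end local: bridged traffic of other networks
        by_direction[direction] += 1
        by_ifindex[(fl["input"], direction)] += 1
    return by_direction, by_ifindex


def both_directions_seen(by_direction):
    """True when the export contains traffic travelling both ways."""
    return by_direction["inbound"] > 0 and by_direction["outbound"] > 0


def build_v5(records, flow_seq=0):
    """Encode (src, dst, ifindex_in, pkts, octets, sport, dport, proto) tuples
    into a v5 datagram.  Used here only to construct sample input."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0", inp, 0, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 27, 0, 0)
        for (src, dst, inp, pkts, octets, sport, dport, proto) in records)
    return V5_HEADER.pack(5, len(records), 0, 1125400000, 0, flow_seq, 0, 0, 0) + body


# Constructed samples.  192.0.2.0/27 stands in for the poster's /27 (netmask 0xffffffe0);
# input ifindex 1 is the poster's iface1 hook, ifindex 2 the iface0 hook.
LOCAL_PREFIX = "192.0.2.0/27"
SAMPLE_BOTH_WAYS = build_v5([
    ("198.51.100.7", "192.0.2.10", 1, 12, 9000, 443, 51000, 6),
    ("192.0.2.10", "198.51.100.7", 2, 10, 1500, 51000, 443, 6),
    ("203.0.113.5", "192.0.2.20", 1, 1, 76, 53, 40000, 17),
])
SAMPLE_ONE_WAY = build_v5([   # what the poster describes: local addresses only as dstIP
    ("198.51.100.7", "192.0.2.10", 1, 12, 9000, 443, 51000, 6),
    ("203.0.113.5", "192.0.2.20", 1, 1, 76, 53, 40000, 17),
])


def report(datagram, local_prefix=LOCAL_PREFIX):
    """Verdict for one datagram as text: per-ifindex counts and a both-ways flag."""
    header, flows = parse_v5(datagram)
    by_direction, by_ifindex = direction_summary(flows, local_prefix)
    lines = ["%d flows, seq %d" % (header["count"], header["flow_sequence"])]
    for (ifindex, direction), n in sorted(by_ifindex.items()):
        lines.append("  ifindex %d %-8s %d" % (ifindex, direction, n))
    lines.append("both directions: %s" % ("yes" if both_directions_seen(by_direction) else "NO"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Live use: connect ng_netflow's export to this port (e.g. a second ksocket, or
    # temporarily instead of the collector) and watch a few datagrams.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", int(sys.argv[1]) if len(sys.argv) > 1 else 8819))
    while True:
        data, _peer = sock.recvfrom(65535)
        try:
            print(report(data))
        except ValueError as err:
            print("skipped:", err)
```

The per-ifindex breakdown is the useful part for the graph in the thread: with the poster's setifindex values, flows tagged ifindex 1 came in through the iface1 hook and ifindex 2 through iface0, so the report shows directly which tee hook is delivering frames and which one is silent.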